Don't Trust That Text

A flaw discovered in Apple's iOS operating system could help hackers spoof text-message conversations and pry info from targets who think they're communicating with a trusted friend. "SMS should not be considered a secure communication method," said Lookout Mobile Security's Derek Halliday. "Users should not be willing to disclose information over SMS that they expect to be secure."

By John P. Mello Jr.
Aug 20, 2012 6:00 AM PT

A well-known iOS hacker who uses the handle "pod2g" revealed a flaw in Apple's mobile operating system, iOS, that he says can be exploited to alter the "reply to" information in SMS messages.

Such a tactic could be used by cybermiscreants to pry sensitive information from the recipient of a message or divert them to a malicious website.

One of the problems with SMS messages is they only display the sender's number, according to Derek Halliday, senior security product manager at Lookout Mobile Security.

"The ideal implementation would give you context both about the origin number as well as the number you will reply to if you respond to the message," he told TechNewsWorld. "Having only one number displayed definitely leaves ambiguity if they are different."

He warned text messaging lovers:

"SMS should not be considered a secure communication method. Users should not be willing to disclose information over SMS that they expect to be secure, nor should they assume that it is a trustworthy channel for communications with their banking or other significant service providers."

More Middle East Malware Mayhem

Recent cyberattacks on Middle Eastern targets have been attributed to super malware programs suspected to be the work of nation-states. But that didn't seem to be the case last week with the assault on the computers of Saudi Aramco.

The company revealed the cyberforay on its Facebook page. It said it had disconnected all its electronic systems from the outside world as a "precautionary measure" following a disruption to its computer systems. The suspected cause of the disruption: a virus attack.

The assault on the Aramco systems affected some individual workstations but not the primary components of the network, the company said. Neither did it disrupt the company's industrial systems.

"This attack isn't on the same professional level as Flame, Stuxnet, Gauss or Duqu," Eric Byres, CTO and vice president for engineering for Belden's Tofino Security Products, told TechNewsWorld.

"It looks like they may have learned a few tricks from Stuxnet," he added. "They're not using the code, but they're using some of the concepts."

Unlike the authors of state-engineered malware, the Aramco hackers, who call themselves the "Arab Youth League," produced software that lacked subtlety, he observed. "It's not trying to stay under the radar," he said.

"It destroys machines," he explained. "When machines are going down left, right and center around you, you know there's a problem."

One disturbing aspect of the attack is Aramco's shutting down of Internet access, according to Jeffrey Carr, CEO of Taia Global. It appears they had systems connected to the Internet that shouldn't have been connected to the Internet.

"If that's the case," he told TechNewsWorld, "then they certainly are vulnerable to a hacker group with a relatively low skill level."

He reasoned that the hackers wanted to "make a statement" and weren't concerned with disrupting Aramco's industrial systems, as Stuxnet did to Iran's nuclear program.

"If your target was the PLCs [chips that control industrial processes], you wouldn't announce yourself by doing something so obvious as attacking the business network," he observed.

Malware-Sniffing Algorithm

An efficient way to ferret out the sources of malware and spam has been developed by a team of Swiss scientists.

The boffins have developed an algorithm that can identify the sources of online nastiness like spam and malicious software by monitoring a small percentage of the connections in a network.

Checking all the nodes on the Internet to target the sources of spam and malware is impossible, but with the algorithm -- described in a paper titled "Locating the Source of Diffusion in Large-scale Networks" published in Physical Review Letters on Aug. 10 -- those sources can be identified by monitoring 10 to 20 percent of the nodes on a network, sometimes even fewer.

The algorithm developed by the researchers at the Audiovisual Communications Laboratory of the Swiss Federal Institute of Technology can be useful for more than combatting the dregs of the Internet. It could also be used to identify the source of biological diseases like SARS.

Breach Diary

Aug. 13: WikiLeaks, known for posting classified government documents to the Web, is online again after a prolonged distributed denial-of-service (DDoS) attack disrupted service at the site for a week. A group calling itself "Anti Leaks" is claiming credit for the attack.

Aug. 14: Oracle released a patch to its server product to correct a flaw revealed at Black Hat 2012 by David Litchfield of Accuvant Labs. The vulnerability could be exploited to obtain credentials that could be used to hijack control of a server running Oracle's software.

Aug. 14: Apria Healthcare revealed that protected health information, including Social Security numbers, names and birth dates of as many as 11,000 patients, may have been compromised when a laptop was stolen from the locked car of an employee in Phoenix, Ariz.

Aug. 15: Someone calling him or herself "The Man Behind Anonymous" claimed to have stolen 50 GB of user data from the Sony PlayStation Network. The claim was later proved to be a hoax.

Aug. 15: Sega Japan issued a security warning to account holders of Sega ID about a malicious party attempting to log in to numerous Sega ID accounts. No information was released as to how many accounts may have been compromised. The company urged Sega ID users to change their passwords.

Aug. 16: The Washington [D.C.] Metropolitan Area Transit Authority disclosed that it is working to fix a flaw in computer systems that could allow unauthorized persons to access the personal information of anyone who has applied for a job at the authority.

Aug. 16: Symantec reported that it plugged a hole in its Norton Online Backup service that allowed some of its users to view backups of other users' data on the system.